Docker rootless unable to pull images


Problem description

I am running Docker rootless on a server, following https://docs.docker.com/engine/security/rootless/.

With this I am able to pull and run hello-world. But whenever I want to pull a more complex image, I run into the following error:

$ docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
83ee3a23efb7: Extracting [==================================================>]  28.57MB/28.57MB
db98fc6f11f0: Download complete 
f611acd52c6c: Download complete 
failed to register layer: ApplyLayer exit status 1 stdout:  stderr: lchown /etc/gshadow: operation not permitted

Output of docker info:

$ docker info
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.2
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 4.15.0-135-generic
 Operating System: Ubuntu 18.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 125.9GiB
 Name: ourserver
 ID: ZZ4G:IF5W:HJA4:GBZ4:BOHY:YNLX:EPTA:56OH:REXN:QJ5A:2HL3:KWWX
 Docker Root Dir: /home/honerkam/.local/share/docker
 Debug Mode: false
 Username: dhonerkamp
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Subids are assigned and newuidmap, newgidmap are installed:

$ grep ^$(whoami): /etc/subuid
honerkam:231072:165537
$ grep ^$(whoami): /etc/subgid
honerkam:231072:165537
$ which newuidmap
/usr/bin/newuidmap
$ which newgidmap
/usr/bin/newgidmap

The only unusual part in this setup I can think of is that I have access to my drive on a mounted filesystem; boot root does not have access to it. I also have root access myself.

Any clues on the cause of this issue would be highly appreciated!

Answer

Copying an answer I received on github if anyone else runs into this issue:

NFS doesn't support CAP_DAC_OVERRIDE, so you need to specify custom {"data-root":"/somewhere-out-of-nfs"} in ~/.config/docker/daemon.json to store the images in a non-NFS location.

See https://www.redhat.com/sysadmin/rootless-podman-nfs for technical details.
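As an added example (not part of the question or the answer above), the check a practitioner would run before touching the config: find out whether the rootless data-root actually sits on NFS, and only then write the daemon.json fragment the answer describes. It assumes GNU coreutils `stat` on Linux; the paths in the usage line are placeholders.

```bash
#!/bin/sh
# Added example: detect an NFS-backed rootless Docker data-root and relocate it
# via ~/.config/docker/daemon.json, as the answer recommends. Assumes GNU stat.

# Filesystem type of PATH (walks up to the nearest existing parent directory).
fs_type_of() {
    p=$1
    while [ ! -e "$p" ]; do p=$(dirname "$p"); done
    stat -f -c %T "$p" 2>/dev/null
}

# True (0) for NFS variants, where the rootless daemon cannot rely on
# CAP_DAC_OVERRIDE and layer registration fails with "operation not permitted".
needs_relocation() {
    case "$1" in
        nfs*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Render the daemon.json content from the answer for a given local path.
render_daemon_json() {
    printf '{"data-root":"%s"}\n' "$1"
}

# $1 = current data-root, $2 = local replacement path, $3 = daemon.json to write.
# Returns 0 when a config was written, 1 when nothing needed to change,
# 2 when an existing config was left alone for manual merging.
relocate_if_nfs() {
    cur=$1; dest=$2; cfg=$3
    t=$(fs_type_of "$cur")
    if needs_relocation "$t"; then
        if [ -e "$cfg" ]; then
            echo "refusing to overwrite existing $cfg; add \"data-root\" by hand" >&2
            return 2
        fi
        mkdir -p "$(dirname "$cfg")"
        render_daemon_json "$dest" > "$cfg"
        echo "data-root is on $t; wrote $cfg pointing at $dest"
        echo "restart the rootless daemon: systemctl --user restart docker"
        return 0
    fi
    echo "data-root is on ${t:-unknown}; no change needed"
    return 1
}

# Usage (placeholder paths; the local path must not be on NFS):
# relocate_if_nfs "$HOME/.local/share/docker" "/var/tmp/$USER-docker" \
#     "$HOME/.config/docker/daemon.json"
```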
